
Re: Reminder: RfC: Last Call Working Draft of Web Workers; deadline April 21

From: Andrew Wilson <atwilson@google.com>
Date: Wed, 20 Apr 2011 13:40:50 -0700
Message-ID: <BANLkTi=-AJz1pRz3CPV_Qtu3cY8dP4jYpQ@mail.gmail.com>
To: "Tab Atkins Jr." <jackalmage@gmail.com>
Cc: Travis Leithead <Travis.Leithead@microsoft.com>, Arthur Barstow <art.barstow@nokia.com>, "public-webapps-request@w3.org" <public-webapps-request@w3.org>, Adrian Bateman <adrianba@microsoft.com>, public-webapps <public-webapps@w3.org>

On Wed, Apr 20, 2011 at 12:54 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:

> Please correct me if I'm missing something, but I don't see any new
> privacy-leak vectors here.  Without Shared Workers, 3rdparty.com can
> just hold open a communication channel to its server and shuttle
> information between the iframes on A.com and B.com that way.

Agreed. Even in the absence of a server, wouldn't those iframes also be able
to communicate via cookies, or localStorage, or any other common data shared
across the domain? I'd be curious about what specific privacy violations
this enables that couldn't already be done in other ways that IE9 does

Also, the PDF you link to describes a DoNotTrack HTTP header/DOM attribute
and a filter list for preventing network access to specific domains - I'm
not certain how either of those pertain to this issue (other than the fact
that said filter lists would equally apply to network connections used from
worker context). Can you provide some clarification of your concerns?
Received on Wednesday, 20 April 2011 20:41:36 UTC
